Re: [Fwd: Re: Fwd: Re: postfix, dovecot auth and rip/lip]
At 03:53 PM 3/18/2008, you wrote:

Wietse Venema wrote:
> There is no reason why this can't be implemented, but I want to
> avoid chaos in Postfix. So I don't want to keep adding more and
> more ad-hoc parameters to the Postfix-to-SASL library interface.
>
> This interface is also used by Cyrus SASL and may be used for other
> non-Cyrus implementations later. Changes to this API should be
> carefully designed.

Alex:
> I understand. It'll have to wait unless it can really be necessary for
> more users and could be part of 'official' API.
> I wrote about it as "for not near future" wish. As for 'some day'.

In the case of the Postfix TLS library we ran into a similar problem, when APIs kept growing with more and more function call parameters. To maintain some level of elegance I introduced function calls with named parameters:

    TLS_SERVER_START(...stuff...,
                     ctx = smtpd_tls_ctx,
                     stream = state->client,
                     log_level = var_smtpd_tls_loglevel,
                     timeout = var_smtpd_starttls_tmout,
                     ...more stuff...);

C does not have named parameter lists, but they can be emulated with a little bit of C preprocessor fu. This looks like a usable approach for extending the Postfix-to-SASL library interface.

Another approach is using a call-back function that queries Postfix for specific information. This is the approach taken with the Postfix Milter client, but it is probably over-kill for SASL.

Wietse

I'll throw my request in for this feature to be prioritized. We're using SMTP AUTH in postfix, querying the dovecot auth socket which works well; however, in our virtual hosted environment it requires that customers login with their full email address. Great in practice, but impractical when a hosting account moves over and has 300, or 3000 subscribers all using username only authentication.

In that case, with dovecot currently the query is written to compare full email (if exists to the database) and if not, it compares the local_ip value of the connection to the database to do a domain match so the full domain is not required and then concatenates the domain which was just looked up by local_ip to the username for a full match. As the dovecot auth socket does not receive the local_ip information from postfix currently, this is not an option. It would help us out a lot if this feature were in there.

I noticed somebody wrote a patch for postfix-2.3.8. I'm not a C programmer myself, so I'm not sure of its quality or if this code could be used or committed to the postfix source tree. Found at http://preview.tinyurl.com/b87z44

- Nathan
Re: [Fwd: Re: Fwd: Re: postfix, dovecot auth and rip/lip]
At 06:45 PM 2/10/2009, post...@corwyn.net wrote:
At 07:22 PM 2/10/2009, Nate wrote:
At 03:53 PM 3/18/2008, you wrote:
Wietse Venema wrote:

We're using SMTP AUTH in postfix, querying the dovecot auth socket which works well; however, in our virtual hosted environment it requires that customers login with their full email address. Great in practice, but impractical when a hosting account moves over and has 300, or 3000 subscribers all using username only authentication. In that case, with dovecot currently the query is written to compare full email

Couldn't you just change the sql query to compare the login passed in to the left side of the User ID/email address?

Rick

Unfortunately not, because the server runs multiple domains, so if it compared r...@% for instance in the query it would likely return multiple results, and dovecot will reject on multiple results, as it should.

- Nate
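
The lookup discussed in the two messages above, as an added example that is not part of the original posts and is not Dovecot or Postfix code. Python's sqlite3 stands in for the real database; the `users` table, its columns and all addresses are constructed for illustration.

```python
import sqlite3

# Constructed sample data: the local part "rick" exists in two hosted domains,
# and each domain is served on its own local IP (hypothetical schema).
ROWS = [
    ("rick@example1.com", "example1.com", "192.0.2.10"),
    ("nate@example1.com", "example1.com", "192.0.2.10"),
    ("rick@example2.com", "example2.com", "192.0.2.11"),
]

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, domain TEXT, local_ip TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return db

def by_local_part(db, login):
    """Match on the left side of the address only, on a multi-domain server."""
    rows = db.execute(
        "SELECT email FROM users WHERE email = ? || '@' || domain ORDER BY email",
        (login,)).fetchall()
    return [r[0] for r in rows]

def resolve(db, login, local_ip):
    """Full address first; otherwise complete the domain from the local IP.
    Returns one address, or None when there are zero or several candidates."""
    rows = db.execute("SELECT email FROM users WHERE email = ?", (login,)).fetchall()
    if not rows:
        rows = db.execute(
            "SELECT email FROM users WHERE local_ip = ? AND email = ? || '@' || domain",
            (local_ip, login)).fetchall()
    return rows[0][0] if len(rows) == 1 else None

if __name__ == "__main__":
    db = open_db()
    print(by_local_part(db, "rick"))           # two candidates: ambiguous
    print(resolve(db, "rick", "192.0.2.11"))   # local IP picks the domain
    print(resolve(db, "rick", None))           # no local_ip passed: no match
```

The last call is the situation described in the thread: without the local IP from the SMTP server, a username-only login cannot be completed to a single account.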
Set outgoing IP address based on sender e-mail address?
Hey all,

Sorry if this is a FAQ, I can't find anything about it online. Is it possible to set the outgoing IP address of a locally-generated message based on the sender's e-mail address?

IE, if a message is submitted via 'pickup' with the sender address of 'u...@example1.com', use the IP '192.168.100.10' for the outgoing IP address. If a message is submitted via 'pickup' with the sender address of 'u...@example2.com', use the IP '192.16.100.11' for the outgoing IP address.

Basically, in a virtual hosting environment, I'd like to ensure that mail sent via one user cannot affect another user's IP's 'reputation', and I'd also like the outgoing mail server to match the incoming MX record for the domain.

Thanks!

-Nate
Do not include first 'Received' header when received via 465/587?
Hi,

I have a client that I have set up the submission port and 465 (for submission over raw SSL). They use many different internet connections, and a few of them (Panera Bread in particular) have their IP on blacklists. Because the IP gets included in the first Received header from Postfix, some sites are catching the mail as spam (apparently some sites scan all 'Received' headers for DNSBL's? Sigh.)

I've found tricks to remove or edit Received headers for specific IP's via 'header_checks'; however, what I'd like to be able to do is either remove the header altogether or modify the IP to one of the IP's that we own for all authenticated users that submit mail via 465/587.

I'm not finding a clean way of doing this; hoping someone has been down this road before so I don't have to reinvent the wheel. ;)

Appreciate any advice - thanks much!

-Nate
Re: Do not include first 'Received' header when received via 465/587?
On Thu, 5 Mar 2009, Wietse Venema wrote:

I've found tricks to remove or edit Received headers for specific IP's via 'header_checks'; however, what I'd like to be able to do is either remove the header altogether or modify the IP to one of the IP's that we own for all authenticated users that submit mail via 465/587.

    $ man header_checks | less +/IGNORE
    $ man header_checks | less +/REPLACE

Thanks.. I've got that, but I'm not finding a way to only match mail that comes in via Submission, and not via regular SMTP. Is there a way to tell Postfix to only apply the header_checks to certain mail processes?

I suppose I could do something like 'no_header_body_checks' on the main SMTP process, but it'd be nice to be able to do some checks there in the future too.

-Nate
Re: Do not include first 'Received' header when received via 465/587?
On Fri, 6 Mar 2009, Noel Jones wrote:
Victor Duchovni wrote:

Probably want a ":" in there to make it a valid header:

header_checks.pcre:
    if /^Received:/
    /\n\tby (smtp\.example\.com \(Postfix\) with ESMTPS?A id \w+)/
        REPLACE X-Submitted: to $1
    endif

Yes, thanks. I extrapolated from this, and got something that works perfectly - thanks so much!

    if /^Received:/
    /.*by (hostname \(Postfix\) with ESMTPS?A).*/
        REPLACE X-Submitted: to $1
    endif

My servers do additional processing, and add received headers after this, so no issues with spam filters (as mentioned later in this thread.)

Appreciate the help!
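
The rule from the last message, exercised against constructed Received headers (an added example, not part of the original thread). Python's `re` stands in for Postfix's PCRE table with the pcre_table(5) default flags, and `mail.example.com` replaces the `hostname` placeholder; the header contents are constructed.

```python
import re

# pcre_table(5) defaults: case-insensitive, and "." also matches newline.
FLAGS = re.IGNORECASE | re.DOTALL
GUARD = re.compile(r"^Received:", FLAGS)
RULE = re.compile(r".*by (mail\.example\.com \(Postfix\) with ESMTPS?A).*", FLAGS)

def apply_header_check(header):
    """Return the replacement header, or the input unchanged if the rule does not fire."""
    if GUARD.search(header):              # the if /^Received:/ ... endif guard
        m = RULE.search(header)
        if m:
            return "X-Submitted: to " + m.group(1)   # REPLACE discards the rest
    return header

def received(proto):
    # Constructed header; 198.51.100.23 plays the client's hotspot address.
    return ("Received: from laptop (unknown [198.51.100.23])\n"
            "\tby mail.example.com (Postfix) with " + proto + " id 4F1A2B3C4D\n"
            "\tfor <user@example.org>; Fri, 6 Mar 2009 10:00:00 -0500 (EST)")

if __name__ == "__main__":
    # Only the authenticated protocol keywords (ESMTPA, ESMTPSA) are rewritten.
    for proto in ("ESMTP", "ESMTPS", "ESMTPA", "ESMTPSA"):
        out = apply_header_check(received(proto))
        print(proto, "->", "rewritten" if out.startswith("X-Submitted:") else "kept")
```

Because the pattern requires the trailing `A`, Received headers from unauthenticated SMTP on port 25 are left intact, which is what scopes the rewrite to authenticated submission without a separate header_checks setting per service.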